LastPass Hacked Again: 7 Things You Need to Know About Using a Password Manager

by | Feb 2, 2023 | Cybersecurity

If you use a password manager (or plan to), it’s important to understand how it works and how to optimize your overall security. Since 2008, LastPass has been one of the most popular and trusted password management platforms on the internet. And, until late 2022, the service had provided security and peace of mind to more than 25 million users – at least until LastPass was hacked twice within just four months (once in August 2022 and again in November 2022).

LastPass experienced its latest “security incident” in November of 2022—the details of which remained cloudy until an official announcement was made just before Christmas. In this announcement, LastPass shared that the incident was actually a massive breach that exposed the company’s encrypted password vaults and other user data to hackers.

Not surprisingly, security professionals around the globe are now suggesting that if you still use LastPass, you ditch your membership and take actions to secure your online accounts – as soon as possible. The situation has led many to doubt the security and trustworthiness of password managers—though some argue that they’re still much safer than the alternative.

If you’ve been considering a switch to a password manager service, there are some things you need to know to help make an informed and confident decision for your business.

1. What is a Password Manager and How Do They Vary?

You should begin with an understanding of what a password manager is and how this kind of service works. Essentially, a password manager is a program that stores your passwords in a secure, third-party location. From there, you receive a single “master password” that you can use to log into any of your accounts from a synced device (smartphone, tablet, computer, etc.). This allows you to create strong, separate passwords for each of your online accounts without the hassle of having to remember them yourself. 

Not all password managers operate in exactly the same way, but that’s the general idea. Some password managers vary in how they store your passwords (online, offline, or cloud-based)—whereas some differ in how master passwords are generated and how the passwords you store are encrypted for additional protection.

2. Who Benefits From Using a Password Manager?

There are many benefits to using a password manager, especially if you’re a business owner who wants to improve security within your organization. More than likely, your employees use a wide range of apps and accounts to carry out their work on a daily basis. This requires the use of many different log-ins. Most employees will reuse a single password across all of their accounts so they don’t have to remember multiple passwords, which can expose your business to potential security breaches. In fact, research has found that 51% of people use the same passwords for both work and personal accounts.

With a password manager, however, your employees can use unique passwords for each account without having to remember them or write them down. From there, they can simply use the master password provided by a password manager to seamlessly access all their accounts, getting their work done efficiently and securely. 

In addition to saving your employees time, many password managers also include password generators, which provide users with safe and complex passwords to further improve security. Many password managers also allow for secure sharing of passwords and other sensitive information, which can come in handy when employees need to transfer or share important data with other team members.

3. What Makes a Password Manager Safe?

While the exact security features for a password manager can vary from one platform to another, there are many typical features that make these platforms safe to use. All password managers, for example, use some kind of data encryption that protects passwords as they’re being transferred from your device to the password manager’s servers.

The exact type of encryption used here, however, can vary. XChaCha20 encryption is the most widely used and is trusted by such companies as Google, so it is quite reliable. However, some password managers take things a step further by using AES 256-bit encryption, which is the military standard. Both encryption options essentially “scramble” passwords so that, even if they are compromised, they are completely unreadable and unusable without the encryption key.

In some cases, password managers even offer biometric authentication in the form of fingerprint or face scans to add an extra layer of security.
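To make the “scrambled without the key” idea in this section concrete, here is an added example, not code from the original post or from any password manager vendor, of the pattern vault-based managers generally follow: a key is derived from the master password with a slow key-derivation function (PBKDF2-HMAC-SHA256, written out by hand here so only Go’s standard library is needed), and the vault is then encrypted with AES-256-GCM. The vault contents, the salt, the iteration count and the master password are constructed sample values. The demo shows three things a buyer should expect from any manager: the right master password opens the vault, a one-letter typo fails the authentication check instead of yielding readable data, and the encrypted blob contains none of the stored secrets. The iteration count is the knob that makes each guess against a leaked vault expensive.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) written out by hand so the example
// needs only the standard library. Each iteration costs one HMAC computation.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	dk := make([]byte, 0, keyLen+prf.Size())
	idx := make([]byte, 4)
	for block := 1; len(dk) < keyLen; block++ {
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// DeriveVaultKey turns the master password into a 256-bit AES key. The salt is
// stored next to the vault; only the password stays in the user's head.
func DeriveVaultKey(masterPassword string, salt []byte, iterations int) []byte {
	return pbkdf2SHA256([]byte(masterPassword), salt, iterations, 32)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVault encrypts the vault with AES-256-GCM; output is nonce || ciphertext || tag.
func SealVault(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenVault reverses SealVault. With the wrong key the GCM tag check fails, so the
// caller gets an error instead of unreadable bytes.
func OpenVault(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("vault blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// DemoResult records what the demonstration observed on a constructed vault.
type DemoResult struct {
	Opened, WrongRejected, PlaintextHidden bool
}

// Demo seals a constructed vault under an assumed master password, then tries the
// right password and a one-letter typo against the resulting blob.
func Demo(iterations int) (DemoResult, error) {
	var r DemoResult
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return r, err
	}
	vault := []byte(`{"example.com":{"user":"alice","pass":"constructed-sample-secret"}}`) // constructed
	master := "correct horse battery staple"                                             // assumed
	blob, err := SealVault(DeriveVaultKey(master, salt, iterations), vault)
	if err != nil {
		return r, err
	}
	r.PlaintextHidden = !bytes.Contains(blob, []byte("alice"))
	got, err := OpenVault(DeriveVaultKey(master, salt, iterations), blob)
	r.Opened = err == nil && bytes.Equal(got, vault)
	_, wrongErr := OpenVault(DeriveVaultKey("correct horse battery stapel", salt, iterations), blob)
	r.WrongRejected = wrongErr != nil
	return r, nil
}

func main() {
	r, err := Demo(600_000) // a commonly recommended PBKDF2-HMAC-SHA256 work factor
	fmt.Println(r, err)
}
```

Running it with `go run` prints `{true true true} <nil>`. The design point for a buyer is that the salt, iteration count and encrypted blob are all non-secret and may be what a breach exposes; the master password and the work factor are the only things standing between a stolen blob and its contents, which is why a long master password and a high iteration count matter.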

4. What Do You Need to Watch For When Considering the Use of a Password Manager?

Of course, no password solution is without its potential faults. This was made clear when LastPass was hacked again, especially since the extent of the cybersecurity breach is still not entirely clear. With this in mind, there are some things to watch for when considering the use of a password manager.

First, understand that you’ll be storing all your sensitive login data in one place. This includes usernames and passwords for all the accounts you and your employees use online. Likewise, because many password managers offer storage/encryption of other sensitive data (such as credit card information), a breach could expose all of this information at once. That’s a scary thought for any business owner.

Meanwhile, because password managers require you and your employees to use a master password to access all of your linked accounts, forgetting your master password can create a lot of headaches. Recovering login information can be time-consuming and take away from your employees’ productivity.

Finally, it’s important to remember that having a password manager isn’t a foolproof way to protect your accounts. If the device you use your password manager on isn’t secure, your information could still be at risk. Consider, for example, an employee using a company computer to check their email and unknowingly downloading an attachment that contains a keylogger. This keylogger can then be used by hackers to determine the employee’s master password without the need for decryption software. If additional security features (like biometric access or multi-factor authentication) aren’t in place, hackers may still be able to access this employee’s accounts.

5. How Do You Monitor Password Managers?

There are plenty of steps you can take to monitor your password manager accounts, starting with enabling multi-factor authentication (if this feature is offered). With this, you’ll be able to require users to provide two (or more) authentication factors to access an account on an unfamiliar device. Usually, this additional layer of authentication involves providing a one-time access code that comes in an email or text message. With multi-factor authentication enabled, you’ll get notified each time a user tries to access an account from a new location.

Likewise, you should take the time to update your master passwords on a regular basis (and encourage your employees to do the same). Some password managers will remind you to do this every so often, but some may not. Changing your master password to something completely unique and random at least once every few months can help to keep your information safer.

6. What Do You Need to Do if Your Password Manager is Hacked?

If you use a password manager that’s been hacked (such as LastPass), the next steps you should take really depend on the severity of the data breach. If you know that your account was involved in the breach, take the time to change your master password immediately. From there, make sure that you have set up multi-factor authentication and any other additional security layers for your account.

Be on the lookout for signs that a hacker is trying to gain additional information from you. For example, if you receive a phone call or email about the breach that asks you to click on a link or provide personal information, report this activity to your password manager service immediately.

7. How Do You Choose the Right Password Manager For Your Unique Needs—And What’s an Alternative to Manage Your Passwords?

Approximately 41 million people in the United States rely on password managers to keep their information safe online. If you’re thinking about making the switch to a password manager for your business, there are some things you should keep in mind as you explore your options. There are many different password manager services out there, ranging from “freemium” options to paid subscriptions. Ultimately, getting the most out of a password manager is all about choosing the service that’s right for your business.

Start by making sure that the password manager(s) you’re considering will be compatible with all the devices and hardware that your business uses on a daily basis. For example, if your business computers run exclusively on macOS, then you’ll need to choose a password manager that is compatible.

From there, explore the security options that each platform has to offer. Is data stored in a vault on your own computer or can it be accessed from a cloud-based server? What type of encryption is used to keep passwords safe? Likewise, what are some additional security features available to you? For example, many password managers allow users to enable multi-factor authentication, which requires additional steps (such as entering an access code sent to a linked email address) when logging in from a new device. If you need guidance on reviewing what’s best for your business needs, a co-managed IT provider may be helpful, especially if you don’t have a dedicated in-house IT team. 

You’ll also want to choose a password manager that’s easy to implement—especially if you have a larger company with many employees. While you should still expect to spend a little time training your employees on how to properly use the password manager, the idea is that you should be able to keep training/transitioning to a minimum so that you can continue with business as usual.

Last but not least, be sure to consider pricing. There are some free versions of password managers out there, but these tend to be the most “bare bones” when it comes to features. If you really want to get the most out of a password manager and enjoy the most robust security features, you’ll probably want to shell out the money for a paid subscription. For businesses, you should generally expect to pay a monthly or annual fee for each user (employee) on your account—though pricing models can vary from one company to the next.

The Bottom Line on Password Managers

In general, password managers are among the most secure and reliable ways to store your passwords and other sensitive information online. While no password storage solution is without its inherent risks, most security experts would agree that the benefits greatly outweigh the potential drawbacks. This is especially true if you choose a reputable and secure password manager and take the time to set up all available security features on your account.


If you’re unsure which password manager may work best for your unique business environment, let’s talk! A conversation with an IT consultant with deep security expertise can help you feel confident in your decision of which password manager to use and safe from cyber threats that may target you. It’s always a good idea to keep an eye on your password manager activity, to change your master passwords regularly, and to remind your employees to do the same. This, in addition to following some common-sense cybersecurity awareness tips, can help to keep your company’s data safe.
